malware caused by Bearshare

10 posts in this topic

I mistakenly downloaded Bearshare. Subsequently I was getting a Bearshare Search page in Chrome and IE and error messages when I opened certain apps. I decided to remove Bearshare by the Add / Remove program option.

As you would probably expect, things haven't quite returned to normal. My system restore option was cleared BEFORE the date of Bearshare installation. System Restore now appears to be capturing system restore points as per normal now.

When I click on one of my favourite programs: Voipbuster I get the error: The procedure entry point isthreaddesktopcomposited could not be located in the dynamic link library USER32.dll.

I downloaded Dependency Walker and the following calls are made early on in the profile. It also says that these paths/programs do not exist:

c:\progra~1\bearsh~1\mediabar\datamngr\DATAMNGR.DLL

c:\progra~1\bearsh~1\mediabar\datamngr\IEBHO.DLL

Is someone please able to tell me where I go from here? Am I able to surgically remove those calls? I have tried reinstalling Voipbuster but that makes no difference. If someone could let me know (simply) why reinstallation of voipbuster does not make any difference that would be appreciated.

I have included the dependency walker process tree as an attachment. No I haven't, it said I wasn't allowed!!

Share this post

Link to post

Share on other sites

That's the strange thing. I did download another version of user32.dll and it made no difference! How does one tell which module is making those Bearshare calls? Is it the one immediately above the calls?

Share this post

Link to post

Share on other sites

That's the strange thing. I did download another version of user32.dll and it made no difference! How does one tell which module is making those Bearshare calls? Is it the one immediately above the calls?

And are you going to post WHICH exact version you are now using or is this info considered confdential?

Share this post

Link to post

Share on other sites

There has been a development. I rerun SFC with the original XP system disk and I don't get the User32.dll error any more when I start Voipbuster (The procedure entry point isthreaddesktopcomposited could not be located ...). The strange thing is is that I did run this before but it did not previously solve the problem.

When I now run Voipbuster in dependency walker I can see that it is still trying to make those calls to bearshare modules (Remember that I have re-installed Voipbuster). Where are those calls being made from, system modules (that should have been replaced by SFC) or Voipbuster (that has been reinstalled)?

Share this post

Link to post

Share on other sites

Before I read your email I downloaded Hijack This and did a search of the registry and found and deleted a few bearshare entries. This appears to have worked well. It has been a learning curve for me and I still don't understand how the registry works. Are there any tools to lock down the registry so that rogue apps can't change it?